Common Information
Value: Masquerading - T1036
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
Misp Type: Cluster
Description
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of a legitimate program's name. This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.

Windows
In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke) An example of abuse of trusted locations in Windows would be the <code>C:\Windows\System32</code> directory. Examples of trusted binary names that can be given to malicious binaries include "explorer.exe" and "svchost.exe".

Linux
Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process after they have been launched, as opposed to before. (Citation: Remaiten) An example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)

Detection
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. If file names are mismatched between the binary name on disk and the binary's resource section, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball)

Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process monitoring, Binary file metadata
Defense Bypassed: Whitelisting by file name or path
Contributors: ENDGAME, Bartosz Jerzman
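The four detection checks listed above (known name in an unusual directory, hash not matching the expected hash for that name, on-disk name differing from the resource-section name, and look-alike spellings of trusted names) run over a file inventory, as an added example that is not MITRE's or MISP's code. The trusted-name/directory map, the placeholder hashes and the sample records are constructed assumptions.

```python
"""T1036 masquerading indicators over a constructed file inventory (example, not MITRE's code)."""
from difflib import SequenceMatcher

# Trusted Windows binary names and the directories they normally execute from.
TRUSTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Expected SHA-256 per trusted name; constructed placeholders, not real hashes.
KNOWN_HASHES = {"svchost.exe": "GOOD-SVCHOST", "explorer.exe": "GOOD-EXPLORER",
                "rundll32.exe": "GOOD-RUNDLL32"}
NEAR_MISS_RATIO = 0.8  # name similarity above which a file counts as a look-alike

def assess(record):
    """Return indicator strings for one record with keys 'path', 'sha256' and
    'original_filename' (OriginalFilename from the PE VERSIONINFO resource, or None)."""
    directory, _, name = record["path"].replace("/", "\\").lower().rpartition("\\")
    hits = []
    # Known name executing from a directory where it is not expected.
    if name in TRUSTED_LOCATIONS and directory not in TRUSTED_LOCATIONS[name]:
        hits.append("trusted name in unusual location")
    # Known name whose content hash is not the expected one for that name.
    if name in KNOWN_HASHES and record["sha256"] != KNOWN_HASHES[name]:
        hits.append("hash does not match expected hash for this name")
    # On-disk name differs from the compiled-in resource name: renamed after build.
    original = (record.get("original_filename") or "").lower()
    if original and original != name:
        hits.append(f"renamed after compile: resource name is {original}")
    # Not a trusted name, but spelled almost like one.
    if name not in TRUSTED_LOCATIONS:
        for trusted in TRUSTED_LOCATIONS:
            if SequenceMatcher(None, name, trusted).ratio() >= NEAR_MISS_RATIO:
                hits.append(f"close approximation of trusted name {trusted}")
    return hits

def scan(records):
    """Map path -> indicators for every record that raised at least one."""
    return {r["path"]: hits for r in records if (hits := assess(r))}

# Constructed sample inventory, not data from any real host.
SAMPLE = [
    {"path": r"C:\Windows\System32\svchost.exe", "sha256": "GOOD-SVCHOST",
     "original_filename": "svchost.exe"},                       # legitimate
    {"path": r"C:\Users\Public\svchost.exe", "sha256": "UNKNOWN-1",
     "original_filename": "rundll32.exe"},                      # renamed rundll32 copy
    {"path": r"C:\Windows\System32\scvhost.exe", "sha256": "UNKNOWN-2",
     "original_filename": "scvhost.exe"},                       # look-alike name
]
```

As the text notes, a resource-name mismatch alone is a lead rather than proof; legitimate installers and updaters also rename binaries, so these hits should be triaged against known software inventory.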
Related CTI (Type, Published, Attributes, CTI Title)
Website  2024-10-28  21   Malware Trends Report: Q3, 2024
Website  2024-10-28  25   ReliaQuest Uncovers New Black Basta Social Engineering Technique | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Website  2024-10-28  51   CloudScout: Evasive Panda scouting cloud services
Website  2024-10-27  1    Senator says domain reg firms aiding Russian disinfo spread • The Register | #cybercrime | #infosec | National Cyber Security Consulting
Website  2024-10-27  1    Senator says domain reg firms aiding Russian disinfo spread
Website  2024-10-27  0    Data Protection: What Startups Need to Know in 2025
Website  2024-10-27  1    When a Facebook friend request turns into a hacker’s trap | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Website  2024-10-26  0    From Spyware to Phishing: Trending Malware Types & How to Stay Protected
Website  2024-10-26  7    The Good, the Bad and the Ugly in Cybersecurity | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Website  2024-10-26  0    North Korean Hackers Spreading Malware Via Fake Interviews | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Website  2024-10-26  0    [Webinar Transcription] Dark Web Influence on the 2024 US Presidential Election
Website  2024-10-25  25   ReliaQuest Uncovers New Black Basta Social Engineering Technique
Website  2024-10-25  25   ReliaQuest Uncovers New Black Basta Social Engineering Technique - ReliaQuest
Website  2024-10-25  0    Cybersecurity Concerns with QR Codes: Staying Safe in the Digital Age | American Enterprise Institute | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Website  2024-10-25  30   TeamTNT’s Docker Gatling Gun Campaign
Website  2024-10-25  6    The Good, the Bad and the Ugly in Cybersecurity - Week 43
Website  2024-10-24  2    Russian propaganda includes deepfakes and sham websites : NPR | #datingscams | #russianliovescams | #lovescams | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting
Website  2024-10-24  12   Understanding the Initial Stages of Web Shell and VPN Threats An MXDR Analysis
Website  2024-10-24  0    Elections 2024: Pink Slime Journalism Overtaking Local News?
Website  2024-10-23  0    New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection
Website  2024-10-23  1    Real-time Blocking Of Malicious Websites
Website  2024-10-23  5    EDRSilencer — Red Team Tool
Website  2024-10-23  158  Unmasking Prometei A Deep Dive Into Our MXDR Findings
Website  2024-10-22  8    Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans
Website  2024-10-22  8    Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans - RedPacket Security